Firewall Wizards: Re: Cisco PIX open ports on outside interface?

From: istong <istong_at_zuniversity.com>
Date: Sat, 9 Dec 2000 18:37:47 -0500

Last I checked the default is to deny all and you explicitly specify what to
permit. I have only been able to manage PIX systems from an inside
interface (even after specifying a telnet outside command). Based on your
conduit permit or access-list scenario below you should be fine. No telnet
from the outside.

One interesting side note is the addition of being able to SSH to the PIX.
This has been added in the 5.2x code release. I can't use it though as it
is limited to basic setups and not advanced ones like I implement. Beware
of the 5.2x code as there is a bug which breaks the alias command. We use
the alias command on the PIX to rewrite DNS entries so we can access
internal systems that have a public DNS entry. Without it you would do a
DNS lookup on system_at_yourdomain.com and it would return the public address
to you. But with you and the system behind the firewall - you will never
get to it using its public address.

FYI,

Ian

----- Original Message -----
From: "Smith, Gary (SCOTAM)" <gary.smith_at_ScottishAmicable.co.uk>
To: <firewall-wizards_at_nfr.com>
Sent: Tuesday, December 05, 2000 11:21 AM
Subject: [fw-wiz] Cisco PIX open ports on outside interface?

> All:
>
> I have an acl on the outside interface of a pix that allows:
>
> 80 & 443 to a web server on the DMZ
> 25 to a mail server on the DMZ
>
> and then has an explicit deny ip any any rule.
>
> When a security company ran a strobe against the outside interface they
> claim that both Telnet and Cisco Secure Telnet were open on the outside
> interface (although they couldn't connect) and I have also verified that
> port 80 is open with the following returned after a get /
>
> <!-- $ID: file://depot/prod/ontap/Rbrutus/prod/netcache/errors/500.html#1 $ -->
>
> I couldn't verify the telnet ports were open (though I don't know what they
> used to test, I used netcat), we do have remote administration enabled but I
> remember reading somewhere that this was only on the inside interface
> (though this might be version 4.x.x documentation).
>
> Should any ports be open on the outside interface by default? Where is this
> documented?
>
> Any and all help gratefully received.
>
> --Gary;
>
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards_at_nfr.com
> http://www.nfr.com/mailman/listinfo/firewall-wizards

Received on Dec 12 2000
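For reference, the kind of PIX 5.x configuration the thread describes (an outside access-list with explicit permits and a final deny, management restricted to the inside, and the alias command used for DNS rewriting) looks like the fragment below. This is an added illustration, not configuration posted by either participant; the interface names, the access-list name and the addresses (RFC 5737 documentation ranges) are assumptions, and the lines beginning with "!" are annotations rather than PIX commands.

```text
! Constructed example: assumed interfaces inside / dmz / outside, assumed addresses.

! Publish the DMZ web and mail servers on public addresses
static (dmz,outside) 203.0.113.10 192.168.2.10 netmask 255.255.255.255
static (dmz,outside) 203.0.113.20 192.168.2.20 netmask 255.255.255.255

! Outside interface: permit only what is needed, then deny everything else
access-list acl_out permit tcp any host 203.0.113.10 eq 80
access-list acl_out permit tcp any host 203.0.113.10 eq 443
access-list acl_out permit tcp any host 203.0.113.20 eq 25
access-list acl_out deny ip any any
access-group acl_out in interface outside

! Management only from the inside network (ssh per the reply above needs 5.2 or later)
telnet 192.168.1.0 255.255.255.0 inside
ssh 192.168.1.0 255.255.255.0 inside

! DNS rewriting: inside hosts that look up the public name get the DMZ address back
alias (inside) 192.168.2.10 203.0.113.10 255.255.255.255
```

With this in place an outside scan should see only the three published services; anything else that answers on the outside address is worth investigating as either a device feature or an intervening proxy, as the NetCache error page in the question suggests.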